Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Digital Unix Security Problem

From: tom () sba miami edu (Tom Leffingwell)
Date: Wed, 12 Nov 1997 14:51:40 -0500

        I tried reporting this to DEC, but because I didn't have a
software support agreement number handy, they wouldn't let me report
anything, then they placed me on hold for 30 minutes, then they
disconnected me.

Tip to DEC: Allow people to report security problems without paying for
            software support.  Or at least allow someone other than the
            designated contact to report security problems.

Version Affected:  Digital UNIX 4.0B *with* patch kit 5
                   Unpatched 4.0B is not vunerable to this particular
                   problem, but it is to others.

Impact:  Local users may overwrite system files, and possibly obtain root.

Problem:

        Patch kit 5 included a replacement xterm because the old one had a
bug, too.  They replaced it with another that had a bigger problem.  You
can cause a segmentation fault in xterm simply by setting your DISPLAY
variable to a display that you aren't allowed to connect to or one that
doesn't exist.  Start xterm, and you get a core file.

        Xterm is installed setuid root.  I'm not 100% sure what happens,
since DEC doesn't release the source for patches.  It does dump core at
XtOpenApplication(), however.

        Even with a buffer overflow, I've never seen anyone exploit on one
DU. If anyone has done so sucessfully, plese email me.  Despite that, a
person with basic knowledge of unix could easily do something like:

#/!bin/csh
cd /tmp
ln -s /etc/passwd /tmp/core
setenv DISPLAY abcdefghi
/usr/bin/X11/xterm

        The contents of /etc/passwd becomes xterm's core, preventing
further logins.  Obviously you could do things without an immediate impact
such as ln -s /vmunix /tmp/core.


Workaround:

        Needless to say, change permissions on xterm, have the users run
dxterm, its better anyway.

___________________________________________________________________

                          Tom Leffingwell
                        University of Miami
                          (305) 284-1337

Systems Administrator                   Support Manager
Information Technology                  School of Business
Ungar 138                               Jenkins 314M
___________________________________________________________________
Previous By Date Next
Previous By Thread Next

Current thread: